Owner: @Mehmet

Reviewers: 🟢@Thomas Lavaur 🟢@Hong-Sheng Zhou 🟢@Daniel Kashepava 🟢@Álvaro Castro-Castilla 🟢@Daniel Sanchez Quiros

Introduction

Nomos utilizes zero-knowledge proof systems not only to ensure strong privacy and security guarantees across its decentralized architecture, but also to reduce the computational burden on validators by compressing execution into succinct proofs. Some of Nomos' cryptographic applications specifically use Groth16, a proof system renowned for its succinctness and efficient verification.

A critical requirement of Groth16 is the secure generation of a Common Reference String (CRS) through a one-time cryptographic ceremony, commonly known as a Trusted Setup Ceremony. The ceremony generates the cryptographic parameters jointly across many participants, so that no individual participant can later compromise the security or privacy guarantees of the system.

To generate and extend these trusted setup parameters, Nomos adopts Powers-of-Tau, a secure, publicly verifiable, and auditable Multi-Party Computation (MPC) protocol. It is run over the BN254 elliptic curve as the first phase for Groth16-based zero-knowledge proofs, and over the BLS12-381 elliptic curve for data availability via KZG polynomial commitments.

This document defines the cryptographic foundations and provides detailed instructions for securely performing or extending a trusted setup ceremony, including:

Overview

At a high level, the Powers-of-Tau ceremony generates a structured set of elliptic curve points corresponding to powers of a secret scalar $\tau$. These elements form the Phase 1 CRS that underpins both the Groth16 and KZG protocols in Nomos. For KZG, the CRS can be used directly. For Groth16, it can be extended in a short Phase 2 MPC to derive circuit-specific proving and verification keys, ensuring the underlying secret remains hidden as long as at least one participant discards their randomness. Nomos adopts an MPC setup ceremony: the Powers-of-Tau protocol.

Powers-of-Tau Ceremony Overview

pot.png

In the ceremony, a coordinator manages the sequential flow of contributions. Each contributor downloads the current CRS, applies their secret randomness, and sends the updated CRS back through the coordinator, who relays it to the next participant. At each step, an independent verifier can check that the update was performed correctly. Once all contributions are complete, the final CRS is published.
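The two passages above (the powers-of-tau structure of the Phase 1 CRS, and the sequential contribute-then-verify flow) can be followed end to end in a small model. The Python below is an added example written for this document; it is not Nomos code. It models every group element by its discrete logarithm modulo the BN254 scalar field order r, so [x]_1 and [x]_2 are simply x mod r and the pairing becomes e(a, b) = a*b mod r. That reproduces the algebra of each contribution and of the verifier's consistency checks exactly, but it does not hide tau or the contributor's secret s; that hiding is what the real curve groups provide. The function and field names are this example's own assumptions.

```python
import secrets

# BN254 scalar field order r (the real constant); everything else here is a toy model
# in which a group element [x] is represented by x itself, so tau is NOT hidden.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def pairing(a, b):
    """Toy bilinear map on exponents: e([a]_1, [b]_2) = a*b mod r."""
    return a * b % R


def initial_crs(n):
    """Fresh Phase 1 CRS for tau = 1: [tau^0 .. tau^(n-1)]_1 plus [1]_2 and [tau]_2."""
    return {"g1": [1] * n, "g2": [1, 1]}


def contribute(crs, s=None):
    """One participant multiplies tau by a fresh secret s.

    Returns the updated CRS and the public update record [s]_2. The participant
    must destroy s afterwards; the ceremony stays sound if at least one does.
    """
    if s is None:
        s = secrets.randbelow(R - 1) + 1
    # [tau^i]_1 becomes [(tau*s)^i]_1 = [tau^i]_1 scaled by s^i
    g1 = [x * pow(s, i, R) % R for i, x in enumerate(crs["g1"])]
    # [1]_2 is unchanged, [tau]_2 becomes [tau*s]_2
    g2 = [crs["g2"][0], crs["g2"][1] * s % R]
    return {"g1": g1, "g2": g2}, {"s_g2": s}


def verify_transition(old, new, update):
    """Independent check that new tau = old tau * s, using only published elements:
    e([tau']_1, [1]_2) == e([tau]_1, [s]_2)."""
    return pairing(new["g1"][1], old["g2"][0]) == pairing(old["g1"][1], update["s_g2"])


def verify_structure(crs):
    """Check that the G1 elements are consecutive powers of the single tau in G2:
    e([tau^(i+1)]_1, [1]_2) == e([tau^i]_1, [tau]_2) for every i."""
    g1, (one_g2, tau_g2) = crs["g1"], crs["g2"]
    if g1[0] != 1 or one_g2 != 1:
        return False
    if pairing(g1[1], one_g2) != pairing(1, tau_g2):  # [tau]_1 and [tau]_2 must agree
        return False
    return all(pairing(g1[i + 1], one_g2) == pairing(g1[i], tau_g2) for i in range(len(g1) - 1))


def run_ceremony(n, contributor_secrets):
    """Coordinator loop: each contributor updates the CRS and a verifier checks the
    transition and the structure before the CRS is relayed to the next participant."""
    crs = initial_crs(n)
    for s in contributor_secrets:
        new_crs, update = contribute(crs, s)
        if not (verify_transition(crs, new_crs, update) and verify_structure(new_crs)):
            raise ValueError("rejected contribution")
        crs = new_crs
    return crs


if __name__ == "__main__":
    # Constructed deterministic secrets so the run is reproducible; real contributors
    # draw them with secrets.randbelow and discard them.
    final = run_ceremony(8, [3, 5, 7])
    print("final [tau]_1 (visible only in this toy model):", final["g1"][1])
    print("structure valid:", verify_structure(final))
```

In the model the final tau is the product of all contributions (3 * 5 * 7 = 105), which is why a single discarded secret suffices to keep it unknown in the real setting. A real verifier additionally requires each contributor to attach a proof of knowledge of s, so that a participant cannot choose s to cancel an earlier contribution; that proof is omitted from this toy, whose only purpose is to show which pairing equations the checks reduce to.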

Security of Powers-of-Tau